A German research team has revealed that a flaw in the way mobile applications store data online has left 56 million items of data unprotected in the products they have studied so far, with more expected.
Whether they are passwords, addresses, door codes, location data, games, social networks, messaging, medical or bank transfer apps, all are vulnerable to attackers.
The major faux pas lies in the authentication code: the way app developers wrote it and the way it was used when storing data in online databases, said the team from Darmstadt University of Technology. The project leader, Eric Bodden, said billions of records could have been affected by the flaw.
“In almost every category we found an app which has this vulnerability in it,” said Siegfried Rasthofer, another team member from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.
They said these apps use services such as Amazon’s Web Services or Facebook’s Parse to store, exchange and retrieve data, and that developers chose the default option: a string of letters and numbers embedded in the software’s code, called a token. That token can be extracted from the app and modified, giving an attacker access to the private data of all users of that app stored on the server.
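Added example, not code from the article or from the Darmstadt team: a small Python scanner that a developer or an app reviewer can run over an app's own decompiled string resources to flag backend credentials embedded in the code, which is the pattern described above. It assumes Android-style strings.xml entries; the resource names, the credential values and the name heuristics are constructed for illustration, while the AKIA prefix check reflects the documented format of AWS access key IDs. Entropy alone is not treated as proof, since URLs and asset hashes also look random.

```python
import math
import re
from typing import Dict, List

# Constructed sample input: string resources as they might appear in an
# app's decompiled res/values/strings.xml. Every value here is made up.
SAMPLE_STRINGS_XML = """
<string name="app_name">ExampleNotes</string>
<string name="parse_application_id">a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0</string>
<string name="parse_master_key">Zz9yY8xX7wW6vV5uU4tT3sS2rR1qQ0pPoOnNmMlL</string>
<string name="aws_access_key_id">AKIAEXAMPLEEXAMPLE12</string>
<string name="welcome">Welcome back</string>
<string name="support_email">support@example.invalid</string>
"""

XML_STRING = re.compile(r'<string name="([^"]+)">([^<]*)</string>')

# Heuristic list (an assumption of this example) of resource names that
# commonly carry backend-as-a-service or cloud credentials.
SENSITIVE_NAME = re.compile(
    r"(master[_-]?key|client[_-]?key|api[_-]?key|access[_-]?key|secret|application[_-]?id|token)",
    re.IGNORECASE,
)

# AWS access key IDs have a fixed, well-known prefix and length.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def shannon_entropy(value: str) -> float:
    """Bits per character of the string; random-looking credentials score high."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(text: str) -> List[Dict[str, object]]:
    """Return one finding per string resource that looks like an embedded credential."""
    findings: List[Dict[str, object]] = []
    for m in XML_STRING.finditer(text):
        name, value = m.group(1), m.group(2)
        reasons: List[str] = []
        if AWS_ACCESS_KEY_ID.search(value):
            reasons.append("aws-access-key-id-format")
        if SENSITIVE_NAME.search(name):
            reasons.append("credential-like-name")
        if len(value) >= 20 and shannon_entropy(value) >= 4.0:
            reasons.append("high-entropy-value")
        # Entropy on its own produces false positives, so a name or format
        # match is required before the entry is reported.
        if reasons and reasons != ["high-entropy-value"]:
            # A master key or secret grants the app-wide access the article
            # describes, so it is ranked above an identifier or key ID.
            severity = "critical" if re.search(r"master|secret", name, re.IGNORECASE) else "high"
            findings.append(
                {"name": name, "value": value, "reasons": reasons, "severity": severity}
            )
    return findings


if __name__ == "__main__":
    for f in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"[{f['severity']}] {f['name']}: {', '.join(f['reasons'])}")
```

Run against a real build, the function would be fed the contents of each strings.xml produced by the resource decoder; any "critical" finding means the app ships a credential that lets every copy of the app, and anyone who extracts it, act with the same rights against the backend, which is exactly the condition the researchers report.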
The researchers have declined to name the vulnerable applications but said they have so far informed Apple, Facebook, Amazon and Google. Rasthofer said Facebook’s Parse customers, some of them among the world’s biggest companies, have been affected.
Mobile devices are the main avenue for these vulnerabilities, the German researchers said, partly because implementing stronger security is harder there and partly because developers rush to release their apps without thorough security checks.
Team leader Eric Bodden said the new discovery is as serious as the Heartbleed bug that threatened half of the world’s Internet last year, leaving half a million web servers susceptible to data theft.